Networking flaw opens ‘millions’ of iOS app users to data theft

Around 1,000 iOS apps are affected by a weakness in their mobile security which can make it easy for attackers to access encrypted data like passwords, bank account numbers and home addresses as they are being sent over the airwaves, according to a report from security firm SourceDNA.

Companies including Microsoft, Uber and Yahoo all released apps affected by the flaw – they have now fixed them but many others still have not updated their apps to a new secure version.

The affected apps all share the same code, available for free to help developers incorporate encryption into their programmes. Called AFNetworking, the code library was revealed to have a flaw in its implementation of SSL, the web security technology that allows sensitive data to be exchanged over the net. It was introduced in January, and fixed in late March, but 1,000 or so apps are still running the vulnerable version.

An unknown number of apps running the vulnerable version will still be safe to use, however, since the flaw is only present if the developers of the app leave a specific setting unchanged from its default.

SourceDNA scanned all the free apps, as well as the top 5,000 paid ones, available on the iOS App Store, to find apps that are still vulnerable. Out of the 1m-plus apps scanned, the firm found 100,000 which used AFNetworking; of those, 20,000 had been released since the vulnerability was introduced into the library.

“Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code,” the company writes. “The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw.

“Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only six weeks exposed millions of users to attack.” Microsoft, Uber and Yahoo have since fixed their vulnerable apps, and users should update to the latest version, but Citrix, makers of a popular conference call software solution, remain vulnerable.

The company has created an online tool for developers to check if their own apps are vulnerable, and users can check for themselves whether they use an app that is or has been affected by entering the name of the apps’ publisher.

The AFNetworking vulnerability makes it easy for an attacker to crack a type of encryption called SSL. This is best known to most users as the technology that secures e-commerce transactions, typically marked with a padlock symbol in the browser bar, but it is increasingly widely used to protect user privacy against all sorts of attackers, from government eavesdroppers to identity thieves.

Without SSL, or similar encryption, internet traffic can be intercepted through a “man-in-the-middle” attack, where an attacker routes traffic through their own computers to alter or steal it. A typical scenario for such an attack would be against a customer browsing free Wi-Fi in a coffee shop; but there’s little technical difference between that and the systematic surveillance practiced by Western intelligence agencies.

Like the OpenSSL Heartbleed bug before it, which catastrophically broke millions of servers worldwide, the flaw in AFNetworking could raise questions about the longstanding assumption that open-source software (where the source code is public and can be reused freely) is inherently more secure. Despite the 100,000 apps using AFNetworking, the bug still took more than a month to be discovered